Microsoft Visual FoxPro FPOLE.OCX ActiveX control buffer overflow (HTML_FoxPro_ActiveX_Overflow)

About this signature or vulnerability

Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection:

This signature detects the loading of the FoxPro FPOLE.OCX ActiveX control that an attacker could use to exploit a stack-based buffer overflow to execute arbitrary code on the victim's computer.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia-G 1.1 and earlier: XPU 27.110, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2120, Proventia Network MFS: XPU 27.110, Proventia Desktop: 2120, Proventia Network IPS: XPU 27.110, Proventia Server IPS for Linux technology: 27.110, RealSecure Network: XPU 27.110, RealSecure Server Sensor: XPU 27.110, BlackICE PC Protection: 3.6cqr, BlackICE Server Protection: 3.6.cqr

Systems affected

Microsoft Windows 2003 Server: x64, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: SP2, Microsoft Internet Explorer: 7, Microsoft Windows Vista, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 Professional x64, Microsoft Windows 2003 Server: SP2 x64, Microsoft Internet Explorer: 6, Microsoft Internet Explorer: 6 SP1, Microsoft Visual FoxPro: 6.0, Microsoft Internet Explorer: 5.01

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Visual FoxPro ActiveX control is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the FoxDoCmd function. By persuading a victim to visit a malicious Web page using Internet Explorer, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superceded.

References

milw0rm.com [2007-09-06]
Microsoft Visual FoxPro 6.0 (FPOLE.OCX v. 6.0.8450.0) Remote PoC
http://milw0rm.com/exploits/4369

Microsoft Security Bulletin MS08-010
Cumulative Security Update for Internet Explorer (944533)
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx

IBM Internet Security Systems Protection Alert - Feb. 12, 2008
Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Buffer Overflow
http://www.iss.net/threats/286.html

Microsoft Security Bulletin MS08-024
Cumulative Security Update for Internet Explorer (947864)
http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx

ISS X-Force
Microsoft Visual FoxPro FPOLE.OCX ActiveX control buffer overflow
http://www.iss.net/security_center/static/36496.php

CVE
CVE-2007-4790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4790